A wide variety of malicious software (i.e., malware) can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, and crimeware, along with related threats such as phishing websites. Malicious entities sometimes attack servers that store sensitive or confidential data that can be used to the malicious entity's own advantage. Similarly, other computers, including home computers, must be constantly protected from malicious software that can be transmitted when a user communicates with others via electronic mail, when a user downloads new programs or program updates, and in many other situations. The options and methods available to malicious entities for attacking a computer are numerous.
Conventional techniques for detecting malware, such as signature string scanning, are becoming less effective. Modern malware is often targeted and delivered to only a relative handful of computers. For example, a Trojan horse program can be designed to target computers in a particular department of a particular enterprise. Such malware might never be encountered by security analysts, and thus the security software might never be configured with signatures for detecting it. Mass-distributed malware, in turn, is often polymorphic, so that every instance of the malware is unique. As a result, it is difficult to develop signature strings that reliably detect all instances of the malware.
Further, attackers often camouflage malware by making the malware appear to be legitimate. Security software often implicitly trusts digitally-signed software. The signature binds the file to the certificate of the entity whose private key signed it and proves that the file has not been modified since signing; it proves nothing about whether the file's contents are benign. Nevertheless, the security software assumes that signed software does not contain malware and gives the software a low level of scrutiny. Attackers can obtain signing certificates and their associated private keys through fraud or theft and use them to sign files containing malware, thereby defeating the security software.
Newer techniques for detecting malware involve the use of reputation systems. A reputation system can determine the reputation of a file or other object encountered on a computer in order to assess the likelihood that the object is malware. One way to develop the reputation for an object is to collect reports from networked computers on which the object is found and base the reputation on information within the reports. However, because the reputation is derived from such reports, there is a lag period between when a file is first released and when enough computers have encountered and reported it for the reputation system to assess it; during that period the file is effectively unknown. In addition, the use of a compromised certificate to sign files may not be detected until after the digitally signed files are already in circulation, leading to a further lag period before the certificate can be revoked and files signed with it can be distrusted.
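The following is an added example, not part of the original text, that models the two shortcomings described above in working code: a valid signature made with a stolen key verifies just as well as a legitimate one until the certificate is revoked, and a report-based reputation system has nothing to say about a file until enough computers have reported it. The RSA key is a deliberately tiny textbook toy (no padding, ~60-bit modulus) chosen only so the example runs with the Python standard library; the certificate, hosts, file contents and timeline are all constructed for the demonstration and are not a real scheme or real data.

```python
"""Added example: why a valid code signature does not prove a file is benign,
and why a report-based reputation lags a freshly released file.
Toy RSA only; NOT suitable for real use."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Toy RSA parameters (constructed for this demo, not a real key).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; needs Python >= 3.8


def digest(data: bytes) -> int:
    """SHA-256 of the file, reduced into the RSA modulus (toy 'padding')."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, priv: int = D) -> int:
    """Sign with the private exponent; anyone holding D can do this."""
    return pow(digest(data), priv, N)


def verify(data: bytes, sig: int, pub: int = E) -> bool:
    """True iff the file is unmodified since it was signed by the holder of D.
    This says nothing about whether the file's contents are benign."""
    return pow(sig, pub, N) == digest(data)


@dataclass
class Certificate:
    subject: str
    revoked_at: Optional[int] = None  # time at which revocation was published

    def valid_at(self, t: int) -> bool:
        return self.revoked_at is None or t < self.revoked_at


class ReputationSystem:
    """Aggregates reports from networked computers that encountered a file."""

    def __init__(self, min_reporters: int = 3):
        self.min_reporters = min_reporters
        self.reporters = defaultdict(set)  # file hash -> reporting hosts

    def report(self, data: bytes, host: str) -> None:
        self.reporters[hashlib.sha256(data).hexdigest()].add(host)

    def score(self, data: bytes) -> str:
        n = len(self.reporters.get(hashlib.sha256(data).hexdigest(), ()))
        if n == 0:
            return "unknown"  # the lag period: nobody has reported it yet
        return "good" if n >= self.min_reporters else "low_prevalence"


def conventional_verdict(data: bytes, sig: int, cert: Certificate, t: int) -> str:
    """Signature-trusting policy: validly signed + unrevoked => low scrutiny."""
    return "allow" if verify(data, sig) and cert.valid_at(t) else "scan"


def reputation_verdict(data: bytes, sig: int, cert: Certificate,
                       rep: ReputationSystem, t: int) -> str:
    """Policy that also requires the file itself to have earned a reputation."""
    if not verify(data, sig):
        return "scan"
    if not cert.valid_at(t):
        return "block"  # signed with a certificate known to be compromised
    return "allow" if rep.score(data) == "good" else "scan"


def demo() -> dict:
    """Timeline: vendor key stolen at t=10, misuse noticed and revoked at t=30."""
    cert = Certificate("Example Software Vendor", revoked_at=30)
    rep = ReputationSystem()
    benign = b"installer v1.0"                               # constructed file
    malware = b"targeted trojan disguised as v1.1 patch"     # constructed file
    benign_sig = sign(benign)
    malware_sig = sign(malware)  # attacker signs with the stolen private key

    # t=0: v1.0 is brand new and no computer has reported it yet.
    fresh = (conventional_verdict(benign, benign_sig, cert, 0),
             reputation_verdict(benign, benign_sig, cert, rep, 0))
    for host in ("host-a", "host-b", "host-c", "host-d"):
        rep.report(benign, host)
    established = (conventional_verdict(benign, benign_sig, cert, 5),
                   reputation_verdict(benign, benign_sig, cert, rep, 5))
    # t=20: stolen key in use, certificate not yet revoked, no reports yet.
    before = (conventional_verdict(malware, malware_sig, cert, 20),
              reputation_verdict(malware, malware_sig, cert, rep, 20))
    # t=40: revocation has been published.
    after = (conventional_verdict(malware, malware_sig, cert, 40),
             reputation_verdict(malware, malware_sig, cert, rep, 40))
    return {"fresh_benign_release": fresh, "established_benign": established,
            "malware_before_revocation": before,
            "malware_after_revocation": after}


if __name__ == "__main__":
    for name, (conv, rep_aware) in demo().items():
        print(f"{name:28s} conventional={conv:5s} reputation-aware={rep_aware}")
```

Running the demo shows both lags side by side: between the key theft and the revocation the signature-only policy allows the trojan outright, while the reputation-aware policy only defers it to scanning because the file is unknown; and the same "unknown" verdict is what a legitimate, freshly released file receives until enough computers have reported it.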
In view of the foregoing, it may be understood that there may be significant problems and shortcomings associated with current digital signing and reputation system technologies.